[Snort-users] Updating Rules with PulledPork and no outside connection

Michael Steele michaels at ...9077...
Tue Sep 18 18:30:06 EDT 2012


Here is another run using -vvnT

 

Looking at the log it seems to be processing the rules twice.

 

Kindest regards,

Michael...

 

From: JJC [mailto:cummingsj at ...11827...] 
Sent: Tuesday, September 18, 2012 1:47 PM
To: Michael Steele
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Updating Rules with PulledPork and no outside
connection

 

Interesting, can you do a run with -vv and send the results?

 

JJC

On Tue, Sep 18, 2012 at 6:19 AM, Michael Steele <michaels at ...9077...>
wrote:

Attached is a log of the run. Attached is my pulledpork.conf and I'm looking
for something that is causing PulledPork to not process the opensource.gz
file in offline mode.

It appears to be a problem with PulledPork only processing the
snortrules-snapshot-2931.tar.gz  in offline mode as PulledPork processes
both files (opensource.gz and snortrules-snapshot-2931.tar.gz ) if you are
processing in online mode.

My run line includes switches: -nvT

Both files have been place in the: temp_path=

I'm assuming that PulledPork should process both files exactly as it does in
offline mode as it does in online mode, minus the file downloading, and as
long as the two files reside in the designated temp folder.

I'm not sure about checksums in offline mode as  PulledPork seems to process
the snortrules-snapshot-2931.tar.gz every time its ran in offline mode,
regardless of any checksum. I believe it does the same thing in in online
mode. The checksum only prevents PullePork  from downloading the file/s
again in online mode.


Kindest regards,
Michael...

-----Original Message-----
From: JJ Cummings [mailto:cummingsj at ...11827...]
Sent: Monday, September 17, 2012 12:48 PM
To: Michael Steele
Cc: <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Updating Rules with PulledPork and no outside
connection

Place the tarballs in the defined temp path that you have in your
pulledpork.conf.. You will want to tell pp not to download and not to
validate checksums...

JJC

Sent from the iRoad

On Sep 17, 2012, at 7:02, "Michael Steele" <michaels at ...9077...> wrote:

> I've looked through the list archive and was unable to find any
> specifics on how to do this.
>
> I need to run PulledPork on a closed network.
>
> The run line I have is:
> 'perl d:\winids\pulledpork\pulledpork.pl -c
> d:\winids\pulledpork\etc\pulledpork.conf -v -T -n'
>
> I'm pretty sure the -n tells PulledPork to process locally?
>
> There are two files that need to be used and I'm not sure what to do
> with them?
> 1) snortrules-snapshot-2931.tar.gz
> 2) opensource.gz
>
>
> Do these lines need to be hashed out?
> rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<
> oinkco
> de>
> rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
>
>
> Just to verify; using the -T in the run line means I don't have to
> hash out the so_rules section below?
>
> sorule_path=/usr/local/lib/snort_dynamicrules/
> snort_path=/usr/local/bin/snort
> config_path=/usr/local/etc/snort/snort.conf
> sostub_path=/usr/local/etc/snort/rules/so_rules.rules
> distro=FreeBSD-8.1
>
> Kindest regards,
> Michael...
>
>
>
>
>
>
> ----------------------------------------------------------------------
> --------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond.
> Discussions will include endpoint security, mobile security and the
> latest in malware threats.
> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
news!

----------------------------------------------------------------------------

--
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat
landscape has changed and how IT managers can respond. Discussions will
include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120918/fad836f7/attachment.html>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: log.txt
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120918/fad836f7/attachment.txt>


More information about the Snort-users mailing list